18.783 Elliptic Curves
Problem Set #9
Spring 2015
Due: 04/17/2015
Description
These problems are related to the material covered in Lectures 17-18. As usual, the first
person to spot each non-trivial typo/error will receive 1–3 points of extra credit.
Instructions: Either solve both problems 1 and 2, or just problem 3. Then complete
Problem 4, which is a survey.
Problem 1 is a continuation of problem 1 on Problem Set 8 that gives an explicit
example of Theorem 17.2. Problems 2 and 3 are related to the ideal class group of an
imaginary quadratic order. Problem 2 introduces binary quadratic forms and proves the
finiteness of the class group (with an explicit upper bound). Problem 3 gives an explicit
proof that the class group is actually a group, and develops an explicit algorithm for
computing the group operation. Both problems 1 and 2 involve some coding, while
problem 3 does not require any (but there is an optional coding part in problem 3 that
will allow you to skip any other part of the problem if you choose to do it).
Problem 1. Complex multiplication (40 points)
√
Let τ = (1 + −7)/2. In problem 1 of Problem Set 8 you computed j(τ ) = −3375. In
problem 2 of Problem Set 7 you proved that the endomorphism ring of the elliptic curve
y2 = √
x3 − 35x − 98 (with j-invariant −3375) is isomorphic to [1, τ ], the maximal order
of Q( −7). We now set g2 := −4(−35) = 140 and g3 := −4(−98) = 392 and work with
the isomorphic elliptic curve E/C defined by
y 2 = 4x3 − g2 x − g3 ,
which is isomorphic to y 2 = x3 − 35x − 98.
We should note that g2 ([1, τ ]) and g3 ([1, τ ]) are not equal to 140 and 392, but there
is a lattice L homothetic to [1, τ ] for which g2 (L) = 140 and g3 (L) = 392 (you computed
the lattidce L in problem 2 of Problem Set 8). In particular, τ L ⊆ L, thus τ satisfies
condition (1) of Theorem 17.2. The goal of this problem is to compute the polynomials
u, v ∈ C[x] for which condition (2) of Theorem 17.2 holds, and the endomorphism φ for
which condition (3) of Theorem 17.2 holds, and to explicitly confirm that the diagram
C/L
Φ
τ
C/L
E(C)
φ
Φ
E(C)
commutes, where τ denotes the multiplication-by-τ map z 7→ τ z.
Recall that the Weierstrass ℘-function satisfying the differential equation
℘0 (z)2 = 4℘(z)3 − g2 ℘(z) − g3
has a Laurent series expansion about 0 of the form ℘(z) = z −2 +
1
(1)
P∞
n=1 a2n z
2n .
(a) Use g2 and g3 to determine a2 and a4 , and then determine a6 by comparing coefficients in the Laurent expansions of both sides of (1).
We now wish to compute the polynomials u, v ∈ C[x] for which
u ℘(z)
,
℘(τ z) =
v ℘(z)
as in condition (2) of Theorem 17.2. We have N(τ ) = τ τ̄ = 2, so deg u = 2 and deg v = 1.
We can make u = x2 + ax + b monic, and with v = cx + d we must have
(c℘(z) + d)℘(τ z) = ℘(z)2 + a℘(z) + b
(2)
(b) Use (2) to determine the coefficients a, b, c, d, expressing your answers in terms of
τ . It will be convenient to work in the subfield K = Q(τ ), rather than C. To define
the field K and the polynomial ring K[x] in Sage, use
RQ.<w>=PolynomialRing(QQ)
K.<tau>=NumberField(wˆ2-w+2)
RK.<x>=PolynomialRing(K)
Once you have determined a, b, c, d ∈ K, you can verify u, v ∈ K[x] via1
RL.<z>=LaurentSeriesRing(K,100)
wp=EllipticCurve([-35,-98]).weierstrass_p(100).change_ring(K)
assert wp(tau*z) == u(wp(z))/v(wp(z))
(c) Following the proof of Theorem 17.2, construct polynomials s, t ∈ K[x] that satisfy
s ℘(z) 0
0
℘ (z).
℘ (τ z) =
t ℘(z)
You can verify your results in Sage via
wpp = wp.derivative()
assert wpp(tau*z) == s(wp(z))/t(wp(z))*wpp(z)
s(x) (d) Now let φ = u(x)
v(x) , t(x) y . Use Sage to verify that φ is an endomorphism by checking
that its coordinate functions satisfy the curve equation y 2 = 4x3 − g2 x − g3 .
The symbolic verifications in parts (b) and (d) confirm that Φ(τ z) = φ(Φ(z)), showing
that the diagram commutes (at least for the first 100 terms in the Laurent expansion
of ℘(z)). But we would like to explicitly check this for some specific values of z ∈ C.
In order to do this in Sage, we need to redefine τ and the polynomials u, v, s, t over C,
rather than K. Use the following Sage script to do so:
R.<X>=PolynomialRing(CC)
pi=K.embeddings(CC)[0]
tauC=pi(tau)
uC=sum([pi(u.coeffs()[i])*Xˆi
vC=sum([pi(v.coeffs()[i])*Xˆi
sC=sum([pi(s.coeffs()[i])*Xˆi
tC=sum([pi(t.coeffs()[i])*Xˆi
for
for
for
for
1
i
i
i
i
in
in
in
in
range
range
range
range
(0,u.degree()+1)])
(0,v.degree()+1)])
(0,s.degree()+1)])
(0,t.degree()+1)])
Sage effectively computes ℘(z) using y 2 = 4x3 − g2 x − g3 when we define E : y 2 = x3 + Ax + B with
g2 = −4A and g3 = −4B.
2
(e) Pick three “random” nonzero complex numbers z1 , z2 , z3 of norm less than 0.1 (they
need to be close to 0 in order for the Laurent series of ℘(x) to converge quickly).
You can approximate the point P1 = Φ(z1 ) = ℘(z1 ), ℘0 (z1 ) on the elliptic curve
y 2 = 4x3 − g2 x − g3 in Sage using2
wp = EllipticCurve([CC(-35),CC(-98)]).weierstrass_p(100)
wpp = wp.derivative()
P1=(wp.laurent_polynomial()(z1),wpp.laurent_polynomial()(z1))
For i = 1, 2, 3, compute the points Pi = Φ(zi ) and Qi = Φ(τ zi ) (remember to use
the embedding of τ in C). Check that the points all approximately satisfy the curve
equation y 2 = 4x3 − g2 x − g3 (if not, use zi with smaller norms). Then verify that
Qi and φ(Pi ) are approximately equal in each case. Report the values of zi , Pi , Qi
and φ(Pi ).
Problem 2. Binary quadratic forms (60 points)
A binary quadratic form is a homogeneous polynomial of degree 2 in two variables:
f (x, y) = ax2 + bxy + cy 2 ,
which we identify by the triple (a, b, c). We are interested in a specific set of binary
quadratic forms, namely, those that are integral (a, b, c ∈ Z), primitive (gcd(a, b, c) = 1),
and positive definite (b2 − 4ac < 0 and a > 0). Henceforth we shall use the word form to
refer to an integral, primitive, positive definite, binary quadratic form. The discriminant
of a form is the negative integer D = b2 − 4ac, which is evidently a square modulo 4.
We call such integers (imaginary quadratic) discriminants, and let F (D) denote the set
of forms with discriminant D.
(a) For each γ = ( us vt ) ∈ SL2 (Z) and f (x, y) ∈ F (D) define
f γ (x, y) := f (sx + ty, ux + vy).
Show that f γ ∈ F (D), and that this defines an right group action of SL2 (Z) on the
set F (D) (this means f I = f and f (γ1 γ2 ) = (f γ1 )γ2 ).
Forms f and g are (properly) equivalent if g = γf for some γ ∈ SL2 (Z). In this
problem and the next, you will prove that the set cl(D) of SL2 (Z)-equivalence classes of
F (D) forms a finite abelian group, and develop algorithms to compute in this group.
The group cl(D) is called the class group, and it plays a key role in the theory of
complex multiplication. Our first objective is to prove that cl(D) is finite, and to develop
an algorithm to enumerate unique representatives of its elements (which also allows us
to determine its cardinality). We define the (principal) root τ of a form f = (a, b, c) to
be the unique root of f (x, 1) in the upper half plane:
√
−b + D
τ=
.
2a
Recall that SL2 (Z) acts on the upper half plane H via linear fractional transformations
sτ + t
s t
τ=
,
u v
uτ + v
2
You need to use the laurent polynomial method in order to evaluate wp at a complex number.
3
and that the set
F = τ ∈ H : re(τ ) ∈ [−1/2, 0] and |τ | ≥ 1 ∪ τ ∈ H : re(τ ) ∈ (0, 1/2) and |τ | > 1
is a fundamental region for H modulo the SL2 (Z)-action.
(b) Prove that γ ∈ SL2 (Z) acts compatibly on forms and their roots by showing that
if τ is the root of f , then γ −1 τ is the root of f γ . Conclude that two forms are
equivalent if and only if their roots are equivalent.
A form f = (a, b, c) is said to be reduced if
−a < b ≤ a < c
or
0 ≤ b ≤ a = c.
(c) Prove that a form is reduced if and only if its root lies in the fundamental region F.
Conclude that each equivalence class in F (D) contains exactly one reduced form.
p
(d) Prove that if f is reduced then a ≤ |D|/3. Conclude that the set cl(D) is finite,
and show that in fact its cardinality h(D) satisfies h(D) ≤ |D|/3. Prove that F (D)
contains a unique reduced form (a, b, c) with a = 1, and conclude that h(−3) =
h(−4) = 1.
The positive integer h(D) is called the class number of the discriminant D. The
bound h(D) ≤ |D|/3 is a substantial overestimate. In fact, h(D) = O(|D|1/2 log |D|), but
proving this requires some analytic number theory that is beyond the scope of this course.
Under the generalized Riemann hypothesis one can show h(D) = O(|D|1/2 log log |D|).
(e) Give an algorithm to enumerate the reduced forms in F (D). Using the upper bound
h(D) = O(|D|1/2 log |D|), prove that your algorithm runs in O(|D|M(log |D|)) time.
(f ) Implement your algorithm and use it to enumerate the five reduced forms in F (−103)
and the six reduced forms in F (−396). Then use it to compute h(D) for the first
three discriminants D < −N , where N is the integer formed by the first four digits
of your student ID.
Problem 3. The class group (100 points)
In Problem 2 it was proved that cl(D) is a finite set. In this problem you will prove that
it is an abelian group, and develop an algorithm to implement the group operation. The
implementation of the algorithm in part (k) is optional, but if you choose to do part (k)
then are are free to omit the answer to any one of parts (a)-(j) without penalty.
√
To each form f (x, y) = ax2 + bxy + cy 2 in F (D) with root τ = (−b + D)/(2a), we
associate the lattice L(f ) = L(a, b, c) = a[1, τ ].
(a) Show that two forms f, g ∈ F (D) are equivalent if and only if the lattices L(f ) and
L(g) are homothetic.
For any lattice L, the order of L is the set
O(L) = {α ∈ C : αL ⊆ L}.
4
(b) Prove that either O(L) = Z or O(L) is an order in an imaginary quadratic field,
and that homothetic lattices have the same order. Prove that if L is the lattice
√ of
a form in F (D), then O(L) is the order of discriminant D in the field K = Q( D).
For the rest of this problem let O denote the (not necessarily maximal) imaginary
quadratic order of discriminant D, which may be represented as a lattice [1, ω], where ω
is an algebraic integer whose minimal polynomial x2 +bx+c has discriminant b2 −4c = D.
Recall that an (integral) O-ideal a is an additive subgroup of O that is closed under
multiplication by O. Every O-ideal a is necessarily a sublattice of O, and its norm N (a)
is the index [O : a] = |O/a|. An O-ideal a is said to be proper if O(a) = O. In Lecture
18 we showed that a is proper if and only if it is invertible as a fractional ideal, which
explains our interest in this property. Note that we always have O ⊆ O(a), so when O
is maximal every nonzero O-ideal is proper.
(c) Prove that if L(a, b, c) = a[1, τ ] is the lattice of a form in F (D), then L is a proper
O-ideal of norm a, where O = O(L) = [1, aτ ].
(d) Conversely prove that every proper O-ideal a is homothetic to the lattice of a form
in F (D). Show that the assumption that a is proper is necessary by giving an explicit
example of an O-ideal a that is not proper (so by (c) it cannot be homothetic to the
lattice of a form in F (d)).
(e) Prove that if the norm of a is relatively prime to the conductor u = [OK : O] of O
then a is proper. Give an explicit example showing that the converse is not true
(hint: the converse is true when a is a prime ideal).
The product of two lattices [ω1 , ω2 ] and [ω3 , ω4 ] in C is defined to be the additive
group generated by {ω1 ω3 , ω1 ω4 , ω2 ω3 , ω2 ω4 }. In general, the product of two lattices
is not necessarily a lattice (it might not have rank 2 as a Z-module), but if the lattices
are O-ideals, then their product is an O-ideal and therefore a lattice (the lattice product
agrees with the usual definition of the product of ideals).
(f ) Let cl(O) denote the set of equivalence classes (under homothety) of lattices that
are proper O-ideals. Prove that the lattice product makes cl(O) into an abelian
group. Conclude that the corresponding operation on the equivalence classes of
F (D) makes cl(D) into an abelian group that is isomorphic to cl(O).
To perform explicit computations in cl(D) we need to translate the product operation
on lattices L(f1 ) and L(f2 ) into a corresponding product operation on forms f1 , f2 ∈
F (D). This is known as composition of forms, and is performed as follows. If f1 =
(a1 , b1 , c1 ) and f2 = (a2 , b2 , c2 ) are forms in F (D), then let s = (b1 + b2 )/2 (this is an
integer because b1 , b2 and D all have the same parity). Use the extended Euclidean
algorithm (twice) to compute integers u, v, w, and d such that ua1 + va2 + ws = d =
gcd(a1 , a2 , s). The composition of f1 and f2 is then given by
a1 a2
2a2
b23 − D
f1 ∗ f2 = (a3 , b3 , c3 ) =
, b2 +
(v(s − b2 ) − wc2 ),
.
d2
d
4a3
It is a straight-forward but tedious task to verify that this composition formula satisfies
L(f1 ∗ f2 ) = L(f1 ) ∗ L(f2 ); you are not asked to do this.
5
(g) Verify that the inverse of (a, b, c) is (a, −b, c) and that the unique reduced from with
a = 1 acts as the identity (see Problem 2 for the definition of a reduced form).
Unfortunately, even if f1 and f2 are reduced forms, the composition of f1 and f2 need
not be reduced. In order to compute
in cl(D) effectively, we need a reduction algorithm.
Recall the matrices S = 01 −1
and
T
= ( 10 11 ) that generate SL2 (Z).
0
(h) Let f be the form (a, b, c). Compute the forms Sf , T m f , and T −m f , for a positive
integer m.
A form (a, b, c) with −a < b ≤ a is said to be normalized.
(i) Show that for any form f there is an integer m such that T m f is normalized, and
give an explicit formula for m. Let us call T m f the normalization of f . Now let
f = (a, b, c) be a normalized form and prove the following:
p
(a) If a < |D|/2 then f is reduced.
p
(b) If a < |D| and f is not reduced, then the normalization of Sf is reduced.
p
(c) If a ≥ |D| then the normalization (a0 , b0 , c0 ) of Sf has a0 ≤ a/2.
(j) Give an algorithm to compute the reduction of a form f in F (D), and bound its
complexity as a function of n = log |D|, assuming that its coefficients are O(n) bits
in size. Then bound the complexity of computing the reduction of the product of
two reduced forms (this corresponds to performing a group operation in cl(D)).3
Optional: If you choose to do part (k) below you may choose not to answer any one of
parts (a)–(j) above without penalty.
(k) Implement your algorithm and use it to compute the reduction of a form (a, b, c) ∈
F (D), with a equal to the least prime greater than |D|2 for which ( D
a ) = 1. Do this
for the discriminants D = −103 and D = −396, and for the first three discriminants
D < −N , where N is the first four digits of your student ID. For the largest |D|,
list the sequence of normalized forms computed during the reduction.
Problem 4. Survey
Complete the following survey by rating each of the problems you attempted on a scale
of 1 to 10 according to how interesting you found the problem (1 = “mind-numbing,” 10
= “mind-blowing”), and how difficult you found it (1 = “trivial,” 10 = “brutal”). Also
estimate the amount of time you spent on each problem to the nearest half hour.
Interest
Difficulty
Time Spent
Problem 1
Problem 2
Problem 3
Also, please rate each of the following lectures that you attended, according to the quality
of the material (1=“useless”, 10=“fascinating”), the quality of the presentation (1=“epic
fail”, 10=“perfection”), the pace (1=“way too slow”, 10=“way too fast”, 5=“just right”)
and the novelty of the material (1=“old hat”, 10=“all new”).
3
A quasi-linear bound is known [1], but your bound does not need to be this tight. However it should
be polynomial in n.
6
Date
4/9
4/14
Lecture Topic
Complex Multiplication
Isogenies over C, modular curves
Material
Presentation
Pace
Novelty
Please feel free to record any additional comments you have on the problem sets or
lectures, in particular, ways in which they might be improved.
References
[1] A. Schönhage, Fast reduction and composition of binary quadratic forms, in International Symposium on Symbolic and Algebraic Computation–ISSAC’91, ACM, 1991,
128–133.
7